[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.625.2.126
Sidnei da Silva
sidnei at awkly.org
Wed Mar 31 10:57:48 EST 2004
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv5616/doc
Modified Files:
Tag: Zope-2_7-branch
CHANGES.txt
Log Message:
Apply patch by Josh LaPlace. Makes DAV 'supportedlock' actually check if the object implements the WriteLockInterface.
=== Zope/doc/CHANGES.txt 1.625.2.125 => 1.625.2.126 ===
--- Zope/doc/CHANGES.txt:1.625.2.125 Sun Mar 28 06:11:46 2004
+++ Zope/doc/CHANGES.txt Wed Mar 31 10:57:17 2004
@@ -64,14 +64,21 @@
Bugs Fixed
+ - WebDAV property values were not being properly escaped on
+ 'propstat'.
+
+ - WebDAV 'supportedlock' was not checking if the object did
+ implement the WriteLockInterface before returning it's
+ value.
+
- FTP download speed was very slow because the buffer size used
for the feeding of data into asyncore was very small. Increasing
it to a "normal" amount sped up FTP downloads by ~ 100X.
- OFS.Image's insanely long index_html method was factored out
into several parts.
-
- - ZCatalog result/brain methods getPath() and getObject() now properly
+
+ - ZCatalog result/brain methods getPath() and getObject() now properly
propagate database conflict errors which should eliminate spurious
missing results on busy servers.
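Review bot: in the new 'supportedlock' entry, "it's value" should be "its value" (possessive), and the entry should say what the property now reports for objects that do not implement WriteLockInterface, since it only states that the check was missing. In the 'propstat' entry, name the kind of escaping, e.g. "were not XML-escaped in 'propstat' responses", so a reader of the changelog can tell whether the fix concerns malformed XML, injected markup, or both.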
@@ -79,7 +86,7 @@
- ObjectManager no longer raises string exceptions.
- - Collector #1260: Testing/__init__.py no longer changes the
+ - Collector #1260: Testing/__init__.py no longer changes the
INSTANCE_HOME.
- App.config.setConfiguration() did not update the legacy source
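Review bot: this hunk, and every hunk below it, removes and re-adds lines whose visible text is unchanged, i.e. it is a trailing-whitespace cleanup; bundling that with the supportedlock/propstat fix makes the commit far larger than the log message suggests and obscures annotate/blame for these changelog entries. Suggest committing whitespace-only changes separately, or at least mentioning them in the log message.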
@@ -88,7 +95,7 @@
- Collector #1255: getWrappedOwner() must return None if the object
is owned by the UnownableOwner.
- - Collector 434: meta-refresh on web-based restart was set too low,
+ - Collector 434: meta-refresh on web-based restart was set too low,
and would often try to hit the server too soon on slower machines,
displaying a 500 error, which caused people to panic. It was
5 seconds, it's now 10.
@@ -100,10 +107,10 @@
- Stop testrunner.py from recursing into the 'build-base' directory
created by setup.py.
- - Pass along command line args to scripts called via "zopectl run".
+ - Pass along command line args to scripts called via "zopectl run".
This allows you to use scripts which require arguments using
zopectl run. If you do "zopectl run scriptname.py arg1 arg2", the
- value of sys.argv within the script will consist of
+ value of sys.argv within the script will consist of
['scriptname.py', 'arg1', 'arg2'].
- The security-policy-implementation directive had no effect.
@@ -149,16 +156,16 @@
Bugs Fixed
- One of the 2.6.3 fixes added a previously missing security check
- when binding 'context' and 'container' to Python Scripts. Because
- many existing scripts appear in containers that users cannot access,
- this caused a lot of unauthorized errors in existing (mostly CMF)
- sites, since 'container' is bound by default. The fix has been
- adjusted so that an unauthorized is only raised if the bound name
+ when binding 'context' and 'container' to Python Scripts. Because
+ many existing scripts appear in containers that users cannot access,
+ this caused a lot of unauthorized errors in existing (mostly CMF)
+ sites, since 'container' is bound by default. The fix has been
+ adjusted so that an unauthorized is only raised if the bound name
is actually used in a script, making backward compatibility much
better.
- Collector #1154 / # 615: interaction with sessions could cause
- the security context to be discarded, potentially breaking scripts
+ the security context to be discarded, potentially breaking scripts
that depend on proxy roles.
- Stopped overriding the version of xmlrpclib in the Python
@@ -166,8 +173,8 @@
includes all the features Zope needs, plus bugfixes and
integration with new Python types.
- - A pre-existing bug that could cause subtly different results
- when calling the C vs. Python version of validate() through the
+ - A pre-existing bug that could cause subtly different results
+ when calling the C vs. Python version of validate() through the
authorize() method of a UserFolder was found and fixed.
- An inadvertant change to the behavior of Owned.getOwner was
@@ -200,9 +207,9 @@
duplicate README.txt "products" upon startup in a default
installation.
- - XMLRPC queries failed due to a missing import.
+ - XMLRPC queries failed due to a missing import.
- - Forward-ported Toby's unicode encoding hacks for propertysheets
+ - Forward-ported Toby's unicode encoding hacks for propertysheets
from the 2.6 branch.
- Some potential refcount issues in cAccessControl.c were fixed.
@@ -214,9 +221,9 @@
Default config file changes
- - Zope no longer creates "default" ZODB databases if none exist in
- the zope config file. At least one database (the root database,
- at mount-point /) must be specified in zope.conf for Zope to start
+ - Zope no longer creates "default" ZODB databases if none exist in
+ the zope config file. At least one database (the root database,
+ at mount-point /) must be specified in zope.conf for Zope to start
properly now. In zope.conf files generated by older 2.7 betas,
just uncomment the "main" and "temporary" zodb_db definitions
in the zope.conf file to be in parity with what would have been
@@ -270,80 +277,80 @@
the configuration file didn't work. The ZOPE_SECURITY_POLICY
environment variable is no longer honored.
- - Browsers that do not escape html in query strings such as
- Internet Explorer 5.5 could potentially send a script tag in a
+ - Browsers that do not escape html in query strings such as
+ Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
- FilteredSets (used within TopicIndex) are defined via an expression,
which was naievely eval'ed.
- - The ZTUtils SimpleTree decompressed tree state data from the
- request without checking for final size, which could allow for
+ - The ZTUtils SimpleTree decompressed tree state data from the
+ request without checking for final size, which could allow for
certain types of DoS attacks.
- - Inadequate security assertions on administrative "find" methods
+ - Inadequate security assertions on administrative "find" methods
could potentially be abused.
- - Some improper security assertions on DTMLDocument objects could
+ - Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
- - Class security was not properly intialized for PythonScripts,
- potentially allowing access to variables that should be protected.
- It turned out that most of the security assertions were in fact
- activated as a side effect of other code, but this fix is still
- appropriate to ensure that all security declarations are properly
+ - Class security was not properly intialized for PythonScripts,
+ potentially allowing access to variables that should be protected.
+ It turned out that most of the security assertions were in fact
+ activated as a side effect of other code, but this fix is still
+ appropriate to ensure that all security declarations are properly
applied.
- - The dtml-tree tag used an "eval" of user-supplied data; its
+ - The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
- - XML-RPC marshalling of class instances used the instance
- __dict__ to marshal the object, and could include attributes
- prefixed with an underscore name. These attributes are considered
+ - XML-RPC marshalling of class instances used the instance
+ __dict__ to marshal the object, and could include attributes
+ prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
- - Some property types were stored in a mutable data type (list) which
- could potentially allow untrusted code to effect changes on those
- properties without going through appropriate security checks in
+ - Some property types were stored in a mutable data type (list) which
+ could potentially allow untrusted code to effect changes on those
+ properties without going through appropriate security checks in
particular scenarios.
- - Inadequate type checking could allow unicode values passed to
- RESPONSE.write() to be passed into deeper layers of asyncore,
- where an exception would eventually be generated at a level that
+ - Inadequate type checking could allow unicode values passed to
+ RESPONSE.write() to be passed into deeper layers of asyncore,
+ where an exception would eventually be generated at a level that
would cause the Zserver main loop to terminate.
- - The variables bound to page templates and Python scripts such as
- "context" and "container" were not checked adequately, allowing
- a script to potentially access those objects without ensuring the
+ - The variables bound to page templates and Python scripts such as
+ "context" and "container" were not checked adequately, allowing
+ a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
- - Iteration over sequences could in some cases fail to check access
- to an object obtained from the sequence. Subsequent checks (such
- as for attributes access) of such an object would still be
- performed, but it should not have been possible to obtain the
+ - Iteration over sequences could in some cases fail to check access
+ to an object obtained from the sequence. Subsequent checks (such
+ as for attributes access) of such an object would still be
+ performed, but it should not have been possible to obtain the
object in the first place.
- - List and dictionary instance methods such as the get method of
- dictionary objects were not security aware and could return an
- object without checking access to that object. Subsequent checks
- (such as for attributes access) of such an object would still be
- performed, but it should not have been possible to obtain the
+ - List and dictionary instance methods such as the get method of
+ dictionary objects were not security aware and could return an
+ object without checking access to that object. Subsequent checks
+ (such as for attributes access) of such an object would still be
+ performed, but it should not have been possible to obtain the
object in the first place.
- - Use of 'import as. in Python scripts could potentially rebind
- names in ways that could be used to avoid appropriate security
+ - Use of 'import as. in Python scripts could potentially rebind
+ names in ways that could be used to avoid appropriate security
checks.
- A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
- - Unpacking via function calls, variable assignment, exception
- variables and other contexts did not perform adequate security
- checks, potentially allowing access to objects that should have
+ - Unpacking via function calls, variable assignment, exception
+ variables and other contexts did not perform adequate security
+ checks, potentially allowing access to objects that should have
been protected.
- - DTMLMethods with proxy rights could incorrectly transfer those
+ - DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
- Range searches with KeywordIndexes did not work with record-style
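Review bot: several rewritten '+' lines in this hunk carry pre-existing typos that should be fixed while the lines are being touched: "intialized" in the PythonScripts entry should be "initialized", and the 'import as. entry has a stray period where the closing quote belongs, so it should read 'import as'. The "naievely" in the FilteredSets context line is also wrong ("naively"), though that line is not part of this change.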
@@ -432,7 +439,7 @@
- AccessControl.User used a misleading string exeception,
'NotImplemented', which shadowed the Python builtin.
- - Collector #1112: logfile reopening didn't work.
+ - Collector #1112: logfile reopening didn't work.
- Collector #1110: Under Python 2.3, some DateIndex tests were failing.
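Review bot: the context line above the touched Collector #1112 entry reads "exeception" for "exception"; since this hunk already rewrites the neighbouring line, it is cheap to correct here.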
@@ -532,7 +539,7 @@
- PathIndex and TopicIndex are now using a counter for the number
of indexed objects instead of using a very expensive calculation
- based on the keys of their indexes.
+ based on the keys of their indexes.
- Collector #1039: Whitespace problem in Z2.log fixed
@@ -603,7 +610,7 @@
* i18n and metal interactions
- * fix handling of nested translations with tal:content/replace
+ * fix handling of nested translations with tal:content/replace
and i18n:name
- Collector #1017: reST has been broken
@@ -618,8 +625,8 @@
* i18n:attributes="value msg_id;" (with semicolon) will always be
treated as <attr> <msg_id>
- * i18n:attributes="value title" will be treated as <attr> <attr>
- as long as title exist as attribute (both as static or in
+ * i18n:attributes="value title" will be treated as <attr> <attr>
+ as long as title exist as attribute (both as static or in
tal:attributes) plus deprecation warning
- deny attributes being both part of tal:attributes
@@ -636,8 +643,8 @@
- ZConfig didn't report a line number and munged capitalization
of replacement keys when a replacement error was provided.
- - log-to-stderr on startup will now emit messages to the console at
- the lowest logging level defined by any of the handlers in the
+ - log-to-stderr on startup will now emit messages to the console at
+ the lowest logging level defined by any of the handlers in the
eventlog section.
- entirely removed warning when the starting user's umask is "too
@@ -646,9 +653,9 @@
- debug-mode config file option did not work.
- - ZClasses that subclassed ObjectManager that were created in
- earlier versions of Zope would not load under 2.6, due to
- the new Interfaces package. Added back a simple stub module
+ - ZClasses that subclassed ObjectManager that were created in
+ earlier versions of Zope would not load under 2.6, due to
+ the new Interfaces package. Added back a simple stub module
and changed a constructor to allow these ZClasses to work.
- Bugfix: if zopectl is run as the root user, the debug, run, and
@@ -769,8 +776,8 @@
- Collector #953: fixed namespace collision with form_title in ZMI
- - Collector #342: Avoiding insertion of a BASE tag for file objects
- with content-type text/html
+ - Collector #342: Avoiding insertion of a BASE tag for file objects
+ with content-type text/html
- Windows installer properly deletes pyc/pyo files on uninstall.
@@ -806,7 +813,7 @@
available via this module, alternate locations are deprecated,
though will to be supported for Zope 2.7.
- - Collector #435: Support for passwords encoded using MySQL's
+ - Collector #435: Support for passwords encoded using MySQL's
PASSWORD() function add to lib/python/AccessControl/AuthEncoding.py.
- Collector #167: Support __getattr__ on cAccessControl PermissionRole
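Review bot: the untouched context lines around the Collector #435 entry read "though will to be supported" and "PASSWORD() function add to"; if the whitespace pass is touching this region anyway, "though will still be supported" and "added to" would fix both.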
@@ -824,12 +831,12 @@
Datetime constructor has a new "datefmt" parameter to enforce the
parsing of a date as "us" or "international" date. The new field
descriptor field descriptor "date_international" can be used to
- enforce this behaviour inside the ZPublisher. See also
- doc/ENVIRONMENT.txt to check with the DATETIME_FORMAT
+ enforce this behaviour inside the ZPublisher. See also
+ doc/ENVIRONMENT.txt to check with the DATETIME_FORMAT
- KeywordIndex, FieldIndex and ZCTextIndex are now able to index more
than one attribute of an object. This removes the ties between the
- indexes ID and the attribute name to be indexed.
+ indexes ID and the attribute name to be indexed.
- Integration of reStructuredText (reST) and the ZReST product
by Richard Jones. See doc/RESTRUCTUREDTEXT.txt for details.
@@ -892,8 +899,8 @@
This restricts access to the Control_Panel and especially
to the Products management to trusted users.
- - Rename, Cut & Delete operations on locked objects (WebDAV) are
- no longer permitted and will raise an exception. Copies of
+ - Rename, Cut & Delete operations on locked objects (WebDAV) are
+ no longer permitted and will raise an exception. Copies of
locked objects are copied without lock.
- Collector #634: Image objects can now be rendered without border
@@ -907,15 +914,15 @@
- Collector #686: intSets no longer lose their values.
- - Collector #685: Improved documentation explaining how, where and
+ - Collector #685: Improved documentation explaining how, where and
why security assertions should be placed in:
lib/python/Products/PythonScripts/README.txt
lib/python/Products/PythonScripts/module_access_examples.py
- - The ZEO unit tests and wo_pcgi.py didn't run on Windows if the path
+ - The ZEO unit tests and wo_pcgi.py didn't run on Windows if the path
to the python executable included a space.
- - Some calls to os.system('chmod') has been replaced with the more
+ - Some calls to os.system('chmod') has been replaced with the more
portable os.chmod() call, to make install work properly on Windows.
- Fixed an isinstance() check in SimpleItem on standard_error_message
@@ -970,10 +977,10 @@
permission to join or leave versions to run a request in a
version.
- - Fixed a problem with potentially mis-acquiring 'func_code' in
+ - Fixed a problem with potentially mis-acquiring 'func_code' in
publisher BeforeTraverse hook.
- - Fix for issue 683: Image cache manager headers were not sent
+ - Fix for issue 683: Image cache manager headers were not sent
when an image request returned a 304 (in response to an if-mod-since
request).